Part 5: Building Your Threat Management Program
Crisis Ready® organizations start with a mindset that it’s not about the tools, it’s how you use them. In this post, I’m going to talk about how to get out of a reactive, response-focused threat management mindset and build a Crisis Ready® Threat Management Program.
It is important to remember that crisis readiness is cultural and requires an operational mindset. An effective threat management program should be implemented in concert with the broader crisis management operations necessary to mitigate threats and reduce the overall threat landscape. It goes beyond situational awareness and telling your team, “don’t mess it up” when something disruptive happens.
An effective threat management program:
- Identifies and focuses on critical assets, personnel, data, and services that the organization defines as valuable.
- Monitors the environment to detect and identify threats proactively.
- Assesses threats to determine the individual level of risk within the identified areas of concern.
- Applies an all-hazards mindset, including implementing strategies focused on individual threats, and parts of the organization vulnerable to or targeted by those threats.
- Engages threats comprehensively and individually to detect, deter, and mitigate.
Crisis Ready® Threat Management
A holistic threat management program combines physical security, personnel assurance, and information-centric principles. Its objectives are to understand how a threat interacts with your organization, monitor those points of interaction, and intervene to manage those interactions when they become hazardous to the organization.
An Effective and Wholistic Approach is Cultural
A strong foundation for threat management includes a set of values that are shared and acted upon by everyone in your organization. This foundation helps to shape the way people think about threats in terms of how they impact people, assets, and information, and the approach they should take when observing threat indicators in their environment.
A protective culture gives people confidence that a threat management program is supportive and proactive in nature. This involves creating an organizational climate of accountability and mutual respect, generating a positive community-focused culture that encourages communication and reporting to detect, assess, and manage threats.
Determining organizational expectations and effectively communicating them is vital to creating and sustaining such a protective and supportive culture. Best practices to accomplish this include:
- Clearly identifying behaviors expected from individuals to keep themselves and organizational assets safe and secure.
- Communicating how those behaviors differ depending on the role or responsibilities of an individual or group within your organization.
- Establishing the behaviors expected from vendors, contractors, or visitors when they are physically or virtually engaged with your organization.
Accountability vs. Blame
Ensuring that the members of your organization are educated about the dynamics of the threat environment that you operate within is critical to establishing a culture of readiness. It starts with letting them know that they will likely be in a position to detect and identify threats. Train your people to identify and report threats, including how to make those reports—including anonymous reporting—and emphasize that reporting is intended to help prevent an incident, not to get anybody in trouble.
Sharing details on how a threat will be assessed once a report is made can also help overcome resistance to reporting, increase organizational trust, and help to mitigate fear or misinformation about your threat management program.
Establishing a focus on accountability versus blame for human-driven threats plays a role in creating that protective culture. Assigning blame can be counter-productive, and can discourage reporting, even when the potential consequences of an incident are high. Still, a blame-free environment does not mean that individuals are not accountable for their actions. Providing people an opportunity to acknowledge their responsibility in an incident while involving them in addressing the consequences can reduce the potential for recurrence.
Remain Adaptive as Your Risk Tolerance Evolves
Threat management is an evolving challenge, requiring adaptive and resilient practices to address the dynamic environment. It involves rapidly changing tools, technologies, and organizational priorities. Best practices to remain adaptive include:
- Maintain a continuous improvement mindset, taking advantage of best practices and lessons learned from the broader threat management community
- Maintain a dynamic threat registry, updated with regular threat assessment and risk analysis activities.
- Leverage information sharing, lessons learned, and best practices from authoritative agencies and non-governmental organizations who can provide a broad collection of reference and advisory materials
Keys for Success with Crisis Ready® Threat Management
Know Your People.
To achieve a practical level of personnel assurance, your organization must know and engage your people. You must incorporate continuous accountability processes as part of a protective culture and engage people with regular and constant awareness support, education, and training.
Identify Your Organization’s Assets and Prioritize Risks.
Understanding what you value, and what could possibly damage or disrupt those assets, is essential for an effective threat management program. A full understanding of those assets will allow the proper and effective management of associated risks. A proven approach begins with determining where your organization’s assets are located and who has access to them. This will allow a broader classification of the risk to each asset and enable the development of risk-driven mitigation strategies.
Establish the Proven Operational Approach of Detect-Assess-Manage.
Best practices for threat management engage an operational approach that is built in concert with existing programs and capabilities to enable detection and identification of threats, assessment of those threats, and then development and implementation of both active and passive techniques to manage them. All three are necessary to proactively manage threats. This approach is best employed and supported by a multidisciplinary team from across your organization, with leadership, HR, Information Technology, legal counsel, security, and others, each supporting the effort.
Crisis Ready® Threat Management allows for consistent, systematic mitigation of the potential for nature, technology, or people to harm your organization, encouraging engagement across all organizational operations and functions. The combination of cultural and systemic action will fulfill five core functions:
- Establish and maintain a safe environment to prevent harm to people, places, things, and information which your organization values.
- Prevent and protect against threats becoming hazards by instituting policy, controls, procedures, and programs to protect the organization.
- Detect threatening or concerning environmental conditions and identify activities which may increase the level of active or passive threat.
- Assess information about actual or potential threats.
- Manage potential threats before they escalate to become hazards.
Establishing Your Threat Management Program
Just as there are fundamental principles and best practices for what makes up a successful threat management program, there are some recognized best practices as well as concepts, tools, and processes for establishing such a program.
Building on the planning framework presented in the FEMA Comprehensive Preparedness Guide (CPG) 101: Developing and Maintaining Emergency Operations Plans, I am going to offer some of those best practices within the Plan, Organize & Equip, Train & Execute, and Evaluate & Improve (POETE) framework.
Plan
- Secure Executive Engagement – Threat management programs require support from executive or senior leadership. Best practices from various sources demonstrate that programs directly aligned with the senior leadership of an organization are the most effective and have fewer impediments.
- Identify the Best Fit – Where does threat management fit within your organization? Should it be an independent entity or fall under an already established team?
- Determine Program Ownership – The program should be headed by a single individual supported by a multidisciplinary team. This individual will be responsible for the overall management and oversight of the program, with appropriate seniority and the ability to bring together multiple organizational activities.
- Establish Guiding Principles – Your organization should identify principles that will guide the development of your threat management program and ensure that they match the challenge, as well as fit within your structure, function, and culture.
- Develop Policy – Your threat management program will need formal policies and procedures, grounded in legal authorities. Your organization will need to ensure that you establish policies and procedures that are appropriate for your culture, mission, and locality, as well as conforming with applicable rules, regulations, and statues.
- Do Not Reinvent The Wheel – Your threat management program should leverage other programs already in use in your organization. Existing programs provide insight into useful approaches, transferable best practices, and techniques that can be tailored to the unique needs of your threat management program.
- Identify your “Crown Jewels” – What does your organization value, and what should it protect? Critical assets are people, things, or data that the organization values and are typically essential to your operation or business. These are both physical and intellectual in nature, including facilities, systems, equipment, personnel, technology, proprietary products, customer or vendor data, schematics, internal processes, and personnel privacy, to name a few examples.
Organize & Equip
- Establish a Threat Assessment Methodology and Risk Rubric – The data and information collected as part of your threat management program will drive your threat assessment and risk analysis processes. History and empirical research have shown that most threats follow a predictable pathway. As a best practice, your organization should educate itself regarding those findings, making sure not to forget that the past does not define the future, and allowances should be prepared for deviations from recognized patterns. When using assessment tools, it is critical to avoid overreliance on those tools. Human insight and intuition play a key role in practical threat analysis and should not be discounted.
- Risk Rubrics – Risk rubrics are evaluation tools, such as categories or scales, that use a rating or categorization system to communicate the type or level of risk presented by a threat or hazard. Rubrics can be generic or threat specific and are customizable based on your organization’s threat criteria and risk appetite. I provided some formulaic examples and approaches in part 3 of this series.
- Risk Rubrics – Risk rubrics are evaluation tools, such as categories or scales, that use a rating or categorization system to communicate the type or level of risk presented by a threat or hazard. Rubrics can be generic or threat specific and are customizable based on your organization’s threat criteria and risk appetite. I provided some formulaic examples and approaches in part 3 of this series.
- Establish a Multidisciplinary Threat Management Team – A multidisciplinary threat management team provides the analysis and management strategies that your organization will consider as a part of your threat management program. A team with a well-rounded composition of diverse members provides a versatile group that brings a wide variety of perspectives, capabilities, and backgrounds to address the threat environment.
- Develop an Incident Response Plan – Creating a formal response plan ensures that your organization’s response to a hazard is standardized, repeatable, and consistently applied. The plan should include a statement of scope, define roles and responsibilities, and provide guidelines for response operations, reporting procedures, and both escalation and de-escalation procedures. Supplements may be needed for specific internal guidelines and procedures that describe the use of specialized tools and channels of communication. All response procedures must follow legal, ethical, privacy, and civil liberties laws.
- Documentation and Recordkeeping – The documents generated in support of your threat management program need to be collected, retained, and disposed of following policies set forth by your organization. Your team should use a formal system of centralized recordkeeping. This will enable your team to retroactively confirm that actions taken to manage and mitigate threats are available to support the identification of best practices and lessons learned or to defend the decisions made and actions taken by your organization if necessary in response to litigation.
Train & Execute
- Sell the Program – Successful threat management programs require dedicated support from all levels within an organization. Start by framing the program in the context of your organization’s values. Leadership and member buy-in can provide your program with the explicit authority and legitimacy it requires to be effective. Emphasize the return on investment by revealing what could be lost to an unmitigated incident or event. An understanding of potential consequences impacting employment, revenue, operational capability, market edge, market share, and brand reputation, among many others, can help unify your organization’s people in support of a threat management program.
- Implement a Formal Training and Awareness Program – Training and awareness are critical processes in an active threat management program. All organizational personnel, including members, contractors, vendors, and consultants, should be given training to prevent the transition of a known threat to a hazard. A highly aware and adequately trained organization is key to early detection and prevention of threats and hazards.
Evaluate & Improve
- Conduct Exercises – Used to evaluate the effectiveness of your threat management program and the associated training, exercises will help determine if your program’s goals and objectives are being met. When assessing your organization’s capabilities, it is essential to use a progressive approach. Start slowly with small discussion-based exercises to test your organization’s knowledge and understanding of the threat environment and build to a full-scale operational exercise that stresses your team.
- Maintain the Program – To keep your threat management program current, you should establish a formal maintenance process for reviewing and revising the component policies, procedures, standards, and legal and regulatory obligations. The maintenance process should be a recurring activity with tasks scheduled monthly, semiannually, and annually. To help your program mature, your threat management team should have the time and resources available to remain current on evolving best practices and tools while benchmarking other programs and studying lessons learned from similar organizations across the globe. Your program should continuously change because the threat landscape is continually transforming. Technology is upgrading or becoming obsolete, organizations are reconfiguring or trying new processes, markets fluctuate, lessons are learned, information and insights are obtained, and priorities are adjusted.
- Oversight and Compliance – An essential concept in threat management is ensuring that there is a means in the organization to ensure the quality of the assessment and analysis being conducted. Your organization should designate individuals who will conduct independent evaluations of the program’s performance, including compliance with identified best practices and lessons learned from similar organizations. This oversight activity will enable the program to continue to learn and improve, provide accountability for those responsible for this function, and provide credibility to leadership and the general membership of your organization.
Use This to Strengthen Your Organization’s Resilience
The program management elements offered within this series of posts can help any organization, small or large, establish a practical Crisis Ready® Threat Management Program. Applying these concepts and tailoring them to your organization’s environment can provide a means to protect what you value.
Your program should not be focused on responding to disruptive incidents or events. Instead, it should be grounded in the notion of providing a safe environment for your organization and preventing threats from becoming hazards while mitigating the associated risk before an issue escalates to become a problem, emergency, or disaster.
I’ve outlined some clear best practice approaches, guidance and resources within this 5-part series. It’s our hope that you now choose to leverage them to your organization—and its people’s—advantage. If you have any questions as you undertake this important implementation, the Crisis Ready Team is always here to support you.
To your brand’s resilience.
Read the other parts of this 5-part series on developing your Threat Management Program:
Part 1: Defining and Categorizing Threats for your Organization
Part 2: Designing the Ability to Properly Detect a Threat
Part 3: Properly Assessing a Threat and Analyzing its Risk
Part 4: Best Practices for Threat Management
Aaron Marks is a Senior Principal with Dynamis, Inc. where he supports clients across the domestic National and Homeland Security communities and international public safety enterprise. He provides operational and subject matter expertise in intelligence analysis and targeting, disaster preparedness, crisis and incident management, and continuity of operations for healthcare related concerns. Aaron has provided in-depth review, assessment, and analysis for technology, policy, and operational programs impacting all levels of government. He is a recognized authority on the application of nontraditional techniques and methodologies to meet the unique requirements of training, evaluation, and analytic games and exercise for the National and Homeland Security communities.
Prior to joining Dynamis, Aaron was the Director of Operations for a commercial ambulance and Emergency Medical Services (EMS) provider in western New York State where he participated in the integration of commercial EMS and medical transportation resources into the local Trauma System. During his 30-year career Aaron has worked in almost every aspect of EMS except fleet services. This includes experience in Hazardous Materials and Tactical Medicine, provision of prehospital care in urban, suburban, rural, and frontier environments, and acting as a team leader for both ground and aeromedical Critical Care Transport Teams.
Aaron is a Master Exercise Practitioner and received a B.A. in Psychology from Texas Tech University in Lubbock, Texas and a master’s degree in Public Administration with a focus in Emergency Management from Jacksonville State University in Jacksonville, Alabama. He is also a Nationally Registered Paramedic and currently practices as an Assistant Chief with the Amissville Volunteer Fire and Rescue Department, Amissville Virginia.